package com.example.videoplayer.config;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.context.ServerSecurityContextRepository;
import org.springframework.security.web.server.context.WebSessionServerSecurityContextRepository;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsConfigurationSource;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

@Configuration
@EnableWebFluxSecurity
public class SecurityConfig {

    @Bean
    public SecurityWebFilterChain springSecurityFilterChain(ServerHttpSecurity http) {
        return http
            .cors().configurationSource(corsConfigurationSource()).and()
            .csrf().disable()
            .httpBasic().disable()
            .formLogin().disable()
            .securityContextRepository(securityContextRepository())
            .authorizeExchange()
                // 认证接口
                .pathMatchers("/api/auth/**").permitAll()
                // 静态资源
                .pathMatchers("/").permitAll()
                .pathMatchers("/index.html").permitAll()
                .pathMatchers("/static/**").permitAll()
                .pathMatchers("/css/**").permitAll()
                .pathMatchers("/js/**").permitAll()
                .pathMatchers("/images/**").permitAll()
                // 视频资源
                .pathMatchers("/videos/**").permitAll()
                .pathMatchers("/hls/**").permitAll()
                // API 接口
                .pathMatchers(HttpMethod.GET, "/api/videos/**").permitAll()
                .pathMatchers("/ws/**").permitAll()
                // 管理员功能
                .pathMatchers(HttpMethod.POST, "/api/videos/upload").hasAuthority("ROLE_ADMIN")
                .pathMatchers("/api/admin/**").hasAuthority("ROLE_ADMIN")
                // 其他请求
                .anyExchange().permitAll()
            .and()
            .build();
    }

    @Bean
    public ServerSecurityContextRepository securityContextRepository() {
        return new WebSessionServerSecurityContextRepository();
    }

    @Bean
    public CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        configuration.addAllowedOrigin("*");
        configuration.addAllowedMethod("*");
        configuration.addAllowedHeader("*");
        configuration.setAllowCredentials(true);
        
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }
} 